CERT Summary CS-2003-04

From: CERT Advisory (cert-advisory_at_cert.org)
Date: 11/24/03

    Date: Mon, 24 Nov 2003 15:27:10 -0500
    To: cert-advisory@cert.org
    
    

    CERT Summary CS-2003-04

       November 24, 2003

       Each quarter, the CERT Coordination Center (CERT/CC) issues the CERT
       Summary to draw attention to the types of attacks reported to our
       incident response team, as well as other noteworthy incident and
       vulnerability information. The summary includes pointers to sources of
       information for dealing with the problems.

       Past CERT summaries are available from:

              CERT Summaries
              http://www.cert.org/summaries/
       ______________________________________________________________________

    Recent Activity

       Since the last regularly scheduled CERT summary, issued in September
       2003 (CS-2003-03), we have documented vulnerabilities in the Microsoft
       Windows Workstation Service, RPCSS Service, and Exchange. We have also
       documented vulnerabilities in various SSL/TLS implementations, a
       buffer overflow in Sendmail, and a buffer management error in OpenSSH.
       We have received reports of W32/Swen.A, W32/Mimail variants, and
       exploitation of an Internet Explorer vulnerability reported in August
       of 2003.

       For more current information on activity being reported to the
       CERT/CC, please visit the CERT/CC Current Activity page. The Current
       Activity page is a regularly updated summary of the most frequent,
       high-impact types of security incidents and vulnerabilities being
       reported to the CERT/CC. The information on the Current Activity page
       is reviewed and updated as reporting trends change.

              CERT/CC Current Activity
              http://www.cert.org/current/current_activity.html

        1. W32/Mimail Variants

           The CERT/CC has received reports of several new variants of the
           'Mimail' worm. The most recent variant of the worm (W32/Mimail.J)
           arrives as an email message alleging to be from the PayPal
           financial service. The message requests that the recipient
           'verify' their account information to prevent the suspension of
           their PayPal account. Attached to the email is an executable file
           which captures this information (if entered), and sends it to a
           number of email addresses.

                    Current Activity - November 19, 2003
                    http://www.cert.org/current/archive/2003/11/19/archive.html#mimaili

        2. Buffer Overflow in Windows Workstation Service

           A buffer overflow vulnerability exists in Microsoft's Windows
           Workstation Service (WKSSVC.DLL) allowing an attacker to execute
           arbitrary code or cause a denial-of-service condition.

                    CERT Advisory CA-2003-28
                    Buffer Overflow in Windows Workstation Service
                    http://www.cert.org/advisories/CA-2003-28.html

                    Vulnerability Note VU#567620
                    Microsoft Windows Workstation service vulnerable to
                    buffer overflow when sent specially crafted network
                    message
                    http://www.kb.cert.org/vuls/id/567620

        3. Multiple Vulnerabilities in Microsoft Windows and Exchange

           Multiple vulnerabilities exist in Microsoft Windows and Microsoft
           Exchange, the most serious of which could allow remote attackers
           to execute arbitrary code.

                    CERT Advisory CA-2003-27
                    Multiple Vulnerabilities in Microsoft Windows and
                    Exchange
                    http://www.cert.org/advisories/CA-2003-27.html

                    Vulnerability Note VU#575892
                    Buffer overflow in Microsoft Windows Messenger Service
                    http://www.kb.cert.org/vuls/id/575892

                    Vulnerability Note VU#422156
                    Microsoft Exchange Server fails to properly handle
                    specially crafted SMTP extended verb requests
                    http://www.kb.cert.org/vuls/id/422156

                    Vulnerability Note VU#467036
                    Microsoft Windows Help and support Center contains buffer
                    overflow in code used to handle HCP protocol
                    http://www.kb.cert.org/vuls/id/467036

                    Vulnerability Note VU#989932
                    Microsoft Windows contains buffer overflow in Local
                    Troubleshooter ActiveX control (Tshoot.ocx)
                    http://www.kb.cert.org/vuls/id/989932

                    Vulnerability Note VU#838572
                    Microsoft Windows Authenticode mechanism installs ActiveX
                    controls without prompting user
                    http://www.kb.cert.org/vuls/id/838572

                    Vulnerability Note VU#435444
                    Microsoft Outlook Web Access (OWA) contains cross-site
                    scripting vulnerability in the "Compose New Message" form
                    http://www.kb.cert.org/vuls/id/435444

                    Vulnerability Note VU#967668
                    Microsoft Windows ListBox and ComboBox controls vulnerable
                    to buffer overflow when supplied crafted Windows message
                    http://www.kb.cert.org/vuls/id/967668

        4. Multiple Vulnerabilities in SSL/TLS Implementations

           Multiple vulnerabilities exist in the Secure Sockets Layer (SSL)
           and Transport Layer Security (TLS) protocols allowing an attacker
           to execute arbitrary code or cause a denial-of-service condition.

                    CERT Advisory CA-2003-26
                    Multiple Vulnerabilities in SSL/TLS Implementations
                    http://www.cert.org/advisories/CA-2003-26.html

                    Vulnerability Note VU#935264
                    OpenSSL ASN.1 parser insecure memory deallocation
                    http://www.kb.cert.org/vuls/id/935264

                    Vulnerability Note VU#255484
                    OpenSSL contains integer overflow handling ASN.1 tags (1)
                    http://www.kb.cert.org/vuls/id/255484

                    Vulnerability Note VU#380864
                    OpenSSL contains integer overflow handling ASN.1 tags (2)
                    http://www.kb.cert.org/vuls/id/380864

                    Vulnerability Note VU#686224
                    OpenSSL does not securely handle invalid public key when
                    configured to ignore errors
                    http://www.kb.cert.org/vuls/id/686224

                    Vulnerability Note VU#732952
                    OpenSSL accepts unsolicited client certificate messages
                    http://www.kb.cert.org/vuls/id/732952

                    Vulnerability Note VU#104280
                    Multiple vulnerabilities in SSL/TLS implementations
                    http://www.kb.cert.org/vuls/id/104280

                    Vulnerability Note VU#412478
                    OpenSSL 0.9.6k does not properly handle ASN.1 sequences
                    http://www.kb.cert.org/vuls/id/412478

        5. Exploitation of Internet Explorer Vulnerability

           The CERT/CC received a number of reports indicating that attackers
           were actively exploiting the Microsoft Internet Explorer
           vulnerability described in VU#865940. These attacks include the
           installation of tools for launching distributed denial-of-service
           (DDoS) attacks, providing generic proxy services, reading
           sensitive information from the Windows registry, and using a
           victim system's modem to dial pay-per-minute services. The
           vulnerability described in VU#865940 exists due to an interaction
           between IE's MIME type processing and the way it handles HTML
           application (HTA) files embedded in OBJECT tags.

                    CERT Advisory IN-2003-04
                    Exploitation of Internet Explorer Vulnerability
                    http://www.cert.org/incident_notes/IN-2003-04.html

                    Vulnerability Note VU#865940
                    Microsoft Internet Explorer does not properly evaluate
                    "application/hta" MIME type referenced by DATA attribute
                    of OBJECT element
                    http://www.kb.cert.org/vuls/id/865940

        6. W32/Swen.A Worm

           On September 19, the CERT/CC began receiving a large volume of
           reports of a mass mailing worm, referred to as W32/Swen.A,
           spreading on the Internet. Similar to W32/Gibe.B in function, this
           worm arrives as an attachment claiming to be a Microsoft Internet
           Explorer Update or a delivery failure notice from qmail. The
           W32/Swen.A worm requires a user to execute the attachment either
           manually or by using an email client that will open the attachment
           automatically. Upon opening the attachment, the worm attempts to
           mail itself to all email addresses it finds on the system. The
           CERT/CC updated the current activity page to contain further
           information on this worm.

                    Current Activity - September 19, 2003
                    http://www.cert.org/current/archive/2003/09/19/archive.html#swena

        7. Buffer Overflow in Sendmail

           Sendmail, a widely deployed mail transfer agent (MTA), contains a
           vulnerability that could allow an attacker to execute arbitrary
           code with the privileges of the sendmail daemon, typically root.

                    CERT Advisory CA-2003-25
                    Buffer Overflow in Sendmail
                    http://www.cert.org/advisories/CA-2003-25.html

                    Vulnerability Note VU#784980
                    Sendmail prescan() buffer overflow vulnerability
                    http://www.kb.cert.org/vuls/id/784980

        8. Buffer Management Vulnerability in OpenSSH

           A remotely exploitable vulnerability exists in a buffer management
           function in versions of OpenSSH prior to 3.7.1. This vulnerability
           could enable an attacker to cause a denial-of-service condition.

                    CERT Advisory CA-2003-24
                    Buffer Management Vulnerability in OpenSSH
                    http://www.cert.org/advisories/CA-2003-24.html

                    Vulnerability Note VU#333628
                    OpenSSH contains buffer management errors
                    http://www.kb.cert.org/vuls/id/333628

        9. RPCSS Vulnerabilities in Microsoft Windows

           On September 10, the CERT/CC reported on three vulnerabilities
           that affect numerous versions of Microsoft Windows, two of which
           are remotely exploitable buffer overflows that may allow an
           attacker to execute code with system privileges.

                    CERT Advisory CA-2003-23
                    RPCSS Vulnerabilities in Microsoft Windows
                    http://www.cert.org/advisories/CA-2003-23.html

                    Vulnerability Note VU#483492
                    Microsoft Windows RPCSS Service contains heap overflow in
                    DCOM activation routines
                    http://www.kb.cert.org/vuls/id/483492

                    Vulnerability Note VU#254236
                    Microsoft Windows RPCSS Service contains heap overflow in
                    DCOM request filename handling
                    http://www.kb.cert.org/vuls/id/254236

                    Vulnerability Note VU#326746
                    Microsoft Windows RPC service vulnerable to
                    denial of service
                    http://www.kb.cert.org/vuls/id/326746
       ______________________________________________________________________

    New CERT Coordination Center (CERT/CC) PGP Key

       On October 15, the CERT/CC issued a new PGP key, which should be used
       when sending sensitive information to the CERT/CC.

              CERT/CC PGP Public Key
              https://www.cert.org/pgp/cert_pgp_key.asc

              Sending Sensitive Information to the CERT/CC
              https://www.cert.org/contact_cert/encryptmail.html
       ______________________________________________________________________

    What's New and Updated

       Since the last CERT Summary, we have published new and updated
         * Advisories
           http://www.cert.org/advisories/
         * Vulnerability Notes
           http://www.kb.cert.org/vuls
         * CERT/CC Statistics
           http://www.cert.org/stats/cert_stats.html
         * Congressional Testimony
           http://www.cert.org/congressional_testimony
         * Training Schedule
           http://www.cert.org/training/
         * CSIRT Development
           http://www.cert.org/csirts/
       ______________________________________________________________________

       This document is available from:
       http://www.cert.org/summaries/CS-2003-04.html
       ______________________________________________________________________

    CERT/CC Contact Information

       Email: cert@cert.org
       Phone: +1 412-268-7090 (24-hour hotline)
       Fax: +1 412-268-6989
       Postal address:
              CERT Coordination Center
              Software Engineering Institute
              Carnegie Mellon University
              Pittsburgh PA 15213-3890
              U.S.A.

       CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
       EDT(GMT-4) Monday through Friday; they are on call for emergencies
       during other hours, on U.S. holidays, and on weekends.

    Using encryption

       We strongly urge you to encrypt sensitive information sent by email.
       Our public PGP key is available from
       http://www.cert.org/CERT_PGP.key

       If you prefer to use DES, please call the CERT hotline for more
       information.

    Getting security information

       CERT publications and other security information are available from
       our web site
       http://www.cert.org/

       To subscribe to the CERT mailing list for advisories and bulletins,
       send email to majordomo@cert.org. Please include in the body of your
       message

       subscribe cert-advisory

       * "CERT" and "CERT Coordination Center" are registered in the U.S.
       Patent and Trademark Office.
       ______________________________________________________________________

       NO WARRANTY
       Any material furnished by Carnegie Mellon University and the Software
       Engineering Institute is furnished on an "as is" basis. Carnegie
       Mellon University makes no warranties of any kind, either expressed or
       implied as to any matter including, but not limited to, warranty of
       fitness for a particular purpose or merchantability, exclusivity or
       results obtained from use of the material. Carnegie Mellon University
       does not make any warranty of any kind with respect to freedom from
       patent, trademark, or copyright infringement.
       ______________________________________________________________________

       Conditions for use, disclaimers, and sponsorship information

       Copyright 2003 Carnegie Mellon University.
